{"containers": {"cna": {"affected": [{"product": "hydrogen", "vendor": "Shopify", "versions": [{"status": "affected", "version": ">= 0.10.0, <= 0.18.0"}]}], "descriptions": [{"lang": "en", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T20:30:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}], "source": {"advisory": "GHSA-6j22-wv8g-894f", "discovery": "UNKNOWN"}, "title": "Potential cross-site scripting (XSS) vulnerability in Hydrogen", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29230", "STATE": "PUBLIC", "TITLE": "Potential cross-site scripting (XSS) vulnerability in Hydrogen"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hydrogen", "version": {"version_data": [{"version_value": ">= 0.10.0, <= 0.18.0"}]}}]}, "vendor_name": "Shopify"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f", "refsource": "CONFIRM", "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"name": "https://github.com/Shopify/hydrogen/pull/1272", "refsource": "MISC", "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"name": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0", "refsource": "MISC", "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}]}, "source": {"advisory": "GHSA-6j22-wv8g-894f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.175Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29230", "datePublished": "2022-05-18T20:30:13", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T06:17:54.175Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "17B85941-2E8A-464A-B36A-D690068208CA", "versionEndExcluding": "0.19.0", "versionStartIncluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}, {"lang": "es", "value": "Hydrogen es un marco de trabajo basado en React para la construcci\u00f3n de escaparates personalizados din\u00e1micos impulsados por Shopify. Se presenta una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) donde un usuario arbitrario es capaz de ejecutar scripts en p\u00e1ginas que son construidas con Hydrogen. Esto afecta a todas las versiones de Hydrogen desde versi\u00f3n 0.10.0 hasta 0.18.0. Esta vulnerabilidad es explotable en aplicaciones cuyos datos de hidrataci\u00f3n son controlados por el usuario. Todos los usuarios de Hydrogen deber\u00edan actualizar sus proyectos a versi\u00f3n 0.19.0. No se presenta una medida de mitigaci\u00f3n actual, y los usuarios deber\u00edan actualizar lo antes posible. Adem\u00e1s, la Pol\u00edtica de Seguridad de Contenidos no es una mitigaci\u00f3n efectiva para esta vulnerabilidad"}], "id": "CVE-2022-29230", "lastModified": "2022-06-01T19:55:39.590", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-05-18T21:15:07.823", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}